Digital Forensics - PowerPoint PPT Presentation

Loading...

PPT – Digital Forensics PowerPoint presentation | free to view - id: 8e494-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Digital Forensics

Description:

... Data Recovery and Evidence Collection and Preservation. September 3, 2008 ... 1. Collection; which involves the evidence search, evidence recognition, ... – PowerPoint PPT presentation

Number of Views:31
Avg rating:3.0/5.0
Slides: 25
Provided by: chrisc8
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Digital Forensics


1
Digital Forensics
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • Lecture 3
  • Computer Forensics Data Recovery and Evidence
    Collection and Preservation
  • September 3, 2008

2
Data Recovery
  • What is Data Recovery?
  • Role of Backup in Data Recovery
  • Data Recovery Solution
  • Hiding and Recovering Hidden Data

3
What is Data Recovery
  • Usually data recovery means that data that is
    lost is recovered e.g., when a system crashes
    some data may be lost, with appropriate recovery
    procedures the data is recovered
  • In digital forensics, data recovery is about
    extracting the data from seized computers (hard
    drives, disks etc.) for analysis

4
Role of Backup in Data Recovery
  • Databases/files are backed up periodically
    (daily, weekly, hourly etc.) so that if system
    crashes the databases/files can be recovered to
    the previous consistent state
  • Challenge to backup petabyte sized
    databases/files
  • Obstacles for backing up
  • Backup window, network bandwidth, system
    throughout
  • Current trends
  • Storage cost decreasing, systems have to be
    online 24x7
  • Next generation solutions
  • Multiple backup servers, optimizing storage space

5
Data Recovery/Backup Solution
  • Develop a plan/policy for backup and recovery
  • Develop/Hire/Outsource the appropriate expertise
  • Develop a system design for backup/recovery
  • Three tier architectures, caches, backup servers
  • Examine state of the art backup/recovery products
    and tools
  • Implement the backup plan according to the policy
    and design

6
Recover Hidden Data
  • Hidden data
  • Files may be deleted, but until they are
    overwritten, the data may remain
  • Data stored in diskettes and stored insider
    another disk
  • Need to get all the pieces and complete the
    puzzle
  • Analysis techniques (including statistical
    reasoning) techniques are being used to recover
    hidden data and complete the puzzle
  • Reference
  • http//www.forensicfocus.com/hidden-data-analysis-
    ntfs

7
Evidence Collection and Data Seizure
  • What is Evidence Collection
  • Types of Evidence
  • Rules of Evidence
  • Volatile Evidence
  • Methods of Collection
  • Steps to Collection
  • Controlling Contamination

8
What is Evidence Collection
  • Collecting information from the data recovered
    for further analysis
  • Need to collect evidence so that the attacker can
    be found and future attacks can be prevented
    and/or limited
  • Collect evidence for analysis or monitor the
    intruder
  • Obstacles
  • Difficult to extract patterns or useful
    information from the recovered data
  • Difficult to tie the extracted information to a
    person

9
Types of Evidence
  • Testimonial Evidence
  • Evidence supplied by a witness subject to the
    perceived reliability of the witness
  • Word processor documents written by a witness as
    long as the author states that he wrote it
  • Hearsay
  • Evidence presented by a person who is not a
    direct witness
  • Word processor documents written by someone
    without direct knowledge of the incident

10
Rules of Evidence
  • Admissible
  • Evidence must be able to be used in court
  • Authentic
  • Tie the evidence positively to an incident
  • Complete
  • Evidence that can cover all perspectives
  • Reliable
  • There should be no doubt that proper procedures
    were used
  • Believable
  • Understandable and believable to a jury

11
Additional considerations
  • Minimize handling and corruption of original data
  • Account for any changes and keep detailed logs
  • Comply with the 5 basic rules
  • Do not exceed your knowledge need to understand
    what you are doing
  • Follow the security policy established
  • Work fast / however need to be accurate
  • Proceed from volatile to persistent evidence
  • Do not shut down the machine before collecting
    evidence
  • Do not run programs on the affected machine

12
Volatile Evidence
  • Types
  • Cached data
  • Routing tables
  • Process table
  • Kernel statistics
  • Main memory
  • What to do next
  • Collect the volatile data and store in a
    permanent storage device

13
Methods of Collection
  • Freezing the scene
  • Taking a snapshot of the system and its
    compromised state
  • Recover data, extract information, analyze
  • Honeypotting
  • Create a replica system and attract the attacker
    for further monitoring

14
Steps to Collection
  • Find the evidence where is it stored
  • Find relevant data - recovery
  • Create order of volatility
  • Remove external avenues of change no tampering
  • Collect evidence use tools
  • Good documentation of all the actions

15
Controlling Contamination
  • Once the data is collected it should not be
    contaminated, must be stored in a secure place,
    encryption techniques
  • Maintain a chain of custody, who owns the data,
    data provenance techniques
  • Analyze the evidence
  • Use analysis tools to determine what happened
  • Analyze the log files and determine the timeline
  • Analyze backups using a dedicated host
  • Reconstruct the attack from all the information
    collected

16
Duplication and Preservation of Evidence
  • Preserving the Digital Crime Scene
  • First task is to make a compete bit stream backup
    of all computer data before review or process
  • Bit stream backups (also referred to as mirror
    image backups) involve the backup of all areas of
    a computer hard disk drive or another type of
    storage media, e.g., Zip disks, floppy disks,
    Jazz disks, etc. Such backups exactly replicate
    all sectors on a given storage device. Thus, all
    files and ambient data storage areas are copied.
    Bit stream backups are sometimes also referred to
    as 'evidence grade' backups and they differ
    substantially from traditional computer file
    backups and network server backups.
  • http//www.forensics-intl.com/def2.html
  • Make sure that the legal requirements are met and
    proper procedures are followed

17
Digital Evidence Process Model
  • The U.S. Department of Justice published a
    process model in the Electronic Crime Scene
    Investigation A guide to first responders that
    consists of four phases -
  • 1. Collection which involves the evidence
    search, evidence recognition, evidence collection
    and documentation.
  • 2. Examination this is designed to facilitate
    the visibility of evidence, while explaining its
    origin and significance. It involves revealing
    hidden and obscured information and the relevant
    documentation.
  • 3. Analysis this looks at the product of the
    examination for its significance and probative
    value to the case.
  • 4. Reporting this entails writing a report
    outlining the examination process and pertinent
    data recovered from the overall investigation.
  • https//www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf

18
Standards for Digital Evidence
  • The Scientific Working Group on Digital Evidence
    (SWGDE) was established in February 1998 through
    a collaborative effort of the Federal Crime
    Laboratory Directors. SWGDE, as the U.S.-based
    component of standardization efforts conducted by
    the International Organization on Computer
    Evidence (IOCE), was charged with the development
    of cross-disciplinary guidelines and standards
    for the recovery, preservation, and examination
    of digital evidence, including audio, imaging,
    and electronic devices.
  • The following document was drafted by SWGDE and
    presented at the International Hi-Tech Crime and
    Forensics Conference (IHCFC) held in London,
    United Kingdom, October 4-7, 1999. It proposes
    the establishment of standards for the exchange
    of digital evidence between sovereign nations and
    is intended to elicit constructive discussion
    regarding digital evidence. This document has
    been adopted as the draft standard for U.S. law
    enforcement agencies.
  • http//www.fbi.gov/hq/lab/fsc/backissu/april2000/s
    wgde.htm

19
Verifying Digital Evidence
  • Encryption techniques
  • Public/Private key encryption
  • Certification Authorities
  • Digital ID/Credentials
  • Owner signs document with his private key, the
    Receiver decrypts the document with the owners
    public key
  • Owner signs document with the receivers public
    key, Receiver decrypts the document with his
    private key
  • Standards for Encryption
  • Export/Import laws
  • http//esm.cis.unisa.edu.au/new_esml/resources/pub
    lications/digital20forensics20-20exploring20va
    lidation,20verification20and20certification.pdf

20
Conclusion - I
  • Data must be backed up using appropriate
    policies, procedures and technologies
  • Once a crime ahs occurred data ahs to be
    recovered from the various disks and commuters
  • Data that is recovered has to be analyzed to
    extract evidence
  • Evidence has to analyzed to determine what
    happened
  • Use log files and documentations to establish the
    timeline
  • Reconstruct the attack

21
Conclusion - II
  • Standards and processes have to be set in place
    for representing, preserving, duplicating,
    verifying, validating certifying and accrediting
    digital evidence
  • Numerous techniques are out there need to
    determine which ones are useful for the
    particular evidence at hand
  • Need to make it a scientific discipline

22
Links
  • Data Recovery
  • http//www.datatexcorp.com/
  • http//www.forensicfocus.com/hidden-data-analysis-
    ntfs
  • Digital Evidence
  • http//faculty.ncwc.edu/toconnor/426/426lect06.htm
  • http//www.itoc.usma.edu/Workshop/2006/Program/Pre
    sentations/IAW2006-07-1.pdf
  • http//www.e-evidence.info/index.html
  • http//www.digital-evidence.org/
  • http//findarticles.com/p/articles/mi_m2194/is_3_7
    3/ai_n6006624/pg_1
  • http//infohost.nmt.edu/sfs/Students/HarleyKozush
    ko/Presentations/DigitalEvidence.pdf

23
Links Preserving Digital Evidence
  • Preserving Digital Evidence
  • http//www.fbi.gov/hq/lab/fsc/backissu/april2000/s
    wgde.htm (standards)
  • https//www.dfrws.org/2004/day1/Tushabe_EIDIP.pdf
    (process)
  • http//www.logicube.com/logicube/articles/cybersle
    uth_collecting_digital_evidence.asp (hard drive
    duplication)
  • http//www.crime-scene-investigator.net/admissibil
    ityofdigital.html (digital photographs)
  • http//faculty.ncwc.edu/toconnor/426/426lect06.htm
  • http//www.freepatentsonline.com/7181560.html (US
    Patent)
  • http//www.mediasec.com/downloads/veroeffentlichun
    gen/thorwirth2004.pdf (survey)
  • http//www.forensics-intl.com/def2.html (bit
    stream backup)

24
Links Verifying Digital Evidence
  • Verifying Digital Evidence
  • http//esm.cis.unisa.edu.au/new_esml/resources/pub
    lications/digital20forensics20-20exploring20va
    lidation,20verification20and20certification.pdf
    (verification and validation)
  • http//www.forensicmag.com/articles.asp?pid21
  • http//www.forensicmag.com/articles.asp?pid28
    (accreditation, parts 1 and 2)
About PowerShow.com